Re: IIS Services Stop if Virtual Root Deleted on Disk

From: Tony Chow (tchow@BLUETENTACLE.COM)
Date: 02/06/02


Date:         Tue, 5 Feb 2002 16:37:03 -0800
From: Tony Chow <tchow@BLUETENTACLE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I tried this on Win2000, and it doesn't seem to happen on IIS5.

If this indeed is an issue in IIS4, here's something that *may* help.
If a client relies on the admin end to *create* a virtual root, then as
a matter of course they should also rely on the admin end to *delete*
both the virtual root and the folder associated with it. The solution
here then is to prevent the client from deleting the root folder, and
thus from breaking the virtual web and taking the IIS down with it,
without compromising their ability to work with folders and files
underneath it. No deletion, no crash.

To do so, we need to modify the ACL on the folder so as to deny the
delete permission on that folder and *only* on that folder, so that the
client can still have unimpeded access to subfolders and files. This is
not possible to do under the NT4 interface. But if you set up the ACL
across the network from a Win2K system, NT4 with the latest SP will
honor it.

Here's an example. Let's say you want to take away a client's
permission to delete a folder on an NT4 IIS server without denying their
ability to delete, modify, and read subfolders and files. From a
Windows 2000 node, you would open up that folder in Explorer by typing:

\\nt4iis\somedrive$\somefolder

Go into that folder's Properties->Security. First make sure that the
group to which the client account belongs has Change access to the
folder. Having done that, click on the Advanced button, and add an ACE
that affects "this folder only" and just check the Deny->Delete
checkbox. OK all the way through. Now the client should be able to add,
modify, and delete stuff inside this folder but cannot delete the folder
itself.

Note that once you've modified a folder's ACL in this manner, you can no
longer edit it in NT4 without losing NTFS 5-specific features such as
the denial ACEs. In this case, however, you may still edit the
permissions on subfolders and files, because they are not affected by
the Deny Delete ACE.

Of course, this assumes that you have a Win2K system, any Win2K system,
on your network.

Corrections are welcome.
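
The "this folder only" Deny Delete ACE described in the message, set and then verified from a script, as an added example that is not part of the original post. It assumes a current Windows host with PowerShell 5 or later rather than the NT4/Win2K pair in the message; the folder path and group name are hypothetical placeholders. It also lists parent-folder ACEs that grant "Delete subfolders and files", because NTFS allows a delete through that right on the parent even when Delete is denied on the folder itself.

```powershell
# Added example. Path and group name are hypothetical placeholders.
$Folder   = 'D:\webroots\client1'
$Identity = 'WEBSRV\Client1Users'
$Rights   = [System.Security.AccessControl.FileSystemRights]

function Add-DenyDeleteThisFolderOnly {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -LiteralPath $Path
    # InheritanceFlags None + PropagationFlags None is "This folder only" in the GUI.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights::Delete,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-DenyDeleteThisFolderOnly {
    param([string]$Path, [string]$Identity)
    # Look for an explicit (not inherited) Deny ACE with the Delete bit that does not propagate.
    $hits = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Identity -and
        $_.InheritanceFlags -eq 'None' -and
        ([int]$_.FileSystemRights -band [int]$Rights::Delete) -ne 0
    }
    return [bool]$hits
}

function Get-ParentDeleteChildGrants {
    param([string]$Path)
    # Allow ACEs on the parent carrying "Delete subfolders and files".
    $parent = Split-Path -Path $Path -Parent
    (Get-Acl -LiteralPath $parent).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band [int]$Rights::DeleteSubdirectoriesAndFiles) -ne 0
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

Add-DenyDeleteThisFolderOnly -Path $Folder -Identity $Identity
if (-not (Test-DenyDeleteThisFolderOnly -Path $Folder -Identity $Identity)) {
    Write-Warning "Deny Delete ACE (this folder only) not found on $Folder"
}
# Any identity listed here that includes the client can still remove the folder.
Get-ParentDeleteChildGrants -Path $Folder | Format-Table -AutoSize
```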
